Yolan Romailler
https://romailler.ch/
Recent content on Yolan Romailler
Generator: Hugo -- gohugo.io
Language: en-us
Author: Yolan Romailler
Last build: Sat, 30 Jun 2018 23:30:00 +0200

CTF Writeup / GoogleCTF 2018 / DM Collision
https://romailler.ch/2018/06/30/gctf18-notdes/
Sat, 30 Jun 2018 23:30:00 +0200
The challenge said: "Can you find a collision in this compression function? nc dm-col.ctfcompetition.com 1337" and gave us an attachment containing two Python scripts: not_des.py and challenge.py.
Firstly, let's have a quick peek into not_des.py: it seems to be a regular implementation of the DES cipher, but given its name, something must have been tampered with... It's probably the S-Boxes, but we'll come back to this later.

CTF Writeup / GoogleCTF 2018 / Perfect Secrecy
https://romailler.ch/2018/06/24/gctf18-perfectrsa/
Sun, 24 Jun 2018 20:30:00 +0200
After having great fun last year in Google CTF with a nice RSA challenge and a couple of strange crypto schemes, and despite the lack of enthusiasm of my fellow team members, I decided to play again this year. The first crypto challenge I solved was also about RSA; it said:
"Perfect Secrecy. This crypto experiment will help you decrypt an RSA encrypted message. nc perfect-secrecy.ctfcompetition.com 1337" and it provided us with an attachment, which contained a file called flag.

Understanding and implementing Manger attack
https://romailler.ch/2018/04/05/manger-explained/
Thu, 05 Apr 2018 15:00:00 +0200
The RSA cryptosystem has had its fair share of attacks over the years, but among the most impressive you can find the infamous Bleichenbacher attack [Ble98], which doomed PKCS v1.5 in 1998. Nineteen years later, the ROBOT attack proved that the Bleichenbacher attack was still a concern today. Now, what alternatives to RSA PKCS v1.5 do we have? Well, its successor, RSA OAEP, also known as RSA PKCS v2.1, is obviously a good candidate.

CTF Writeup / Y-Not-CTF / SmS Secret Secure Server
https://romailler.ch/2017/11/17/ynot17-sms/
Fri, 17 Nov 2017 19:00:00 +0000
We were given an SSH username, a server IP and an ECDSA public key, along with a "very secure RNG" Python script used to generate the ECDSA key. Exploiting a weakness in the RNG, we can enumerate all possible keys and find the private key to log on to the server.

Talks
https://romailler.ch/page/talks/
Thu, 05 Oct 2017 23:00:00 +0000
Reaping and breaking keys at scale: when crypto meets big data
Along with a public Github repo. Done with Nils Amiet.
11/08/18, Las Vegas, USA, 20 min
DEF CON 26

Practical fault attack against the Ed25519 and EdDSA signature schemes
Along with a research paper and a public Github repo. Done with Sylvain Pelissier.
25/10/17, Taipei, Taiwan, 25 min
FDTC 2017

Automated testing using CDF
29/07/17, Las Vegas, USA, 30 min

Defeating Ed25519 and EdDSA using a fault attack
https://romailler.ch/project/eddsa-fault/
Thu, 05 Oct 2017 20:48:00 +0000
This work was performed with my colleague Sylvain Pelissier. We demonstrated that the EdDSA signature scheme is vulnerable to single fault attacks, and mounted such an attack against the Ed25519 scheme running on an Arduino Nano board. We presented a paper on the topic at FDTC 2017, last week in Taipei.
As you all know, ECDSA is the elliptic curve counterpart of the digital signature algorithm DSA. ECDSA is also notably known because of the PlayStation 3 hack, in which an ECDSA private key could be retrieved because ECDSA wasn't properly randomized.

Yao's Garbled Circuits and how to construct those
https://romailler.ch/2017/06/09/garbling_circuits/
Fri, 09 Jun 2017 23:22:00 +0000
I recently answered a nice question about garbled circuits, and I wanted to share my explanations. So let us review how garbled circuits actually work and how we can construct some. I'll try to explain this from top to bottom:
The protocol
Let Alice and Bob be willing to securely compute a function \(f(x,y)\) (for example, it could be \(f(x,y)=\min(x,y)\)) while keeping their respective inputs \(x\) and \(y\) secret.
In order to do so, they will first model the function \(f\) as a Boolean circuit, which is possible since for any function \(f\) with fixed-size inputs there exists a Boolean circuit \(C\) that computes the output of \(f\) [1].

CTF Writeup / PlaidCTF / Echo
https://romailler.ch/2017/04/26/pctf17-echo/
Wed, 26 Apr 2017 19:00:00 +0000
We're given a webapp performing text2speech on a maximum of 4 tweets. Exploiting a remote command injection in the dockerized script generating the audio allows us to decode the flag remotely before exfiltrating it using text2speech.

How (not) to break your (EC)DSA
https://romailler.ch/2017/04/10/nobreak-ecdsa/
Mon, 10 Apr 2017 19:26:00 +0000
During an internal work project pertaining to automated cryptographic testing, I've discovered that many implementations don't respect standard specifications, especially signature algorithms. Let us take a deeper look into it. We will mostly discuss the DSA and ECDSA algorithms and their respective domains and parameters.
It is important to know that both of those digital signature algorithms were brought to the scene by standards, respectively the NIST FIPS 186 (http://dx.doi.org/10.6028/NIST.FIPS.186-4), also known as the "Digital Signature Standard", and the ANSI X9.62 (http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.62%3A2005), which is paywalled, but a free description is available here. Note that FIPS 186 in its current 186-4 version also discusses ECDSA. This means that most implementers (hopefully) referred to those documents to add the algorithms to their software.

Various Linux tips
https://romailler.ch/2017/03/20/linux/
Mon, 20 Mar 2017 21:56:00 +0000
Starting page logo with full disk encryption
To change the grub starting page logo when using, as I currently do, Linux Mint (with LUKS encryption), you have to change it in /usr/share/plymouth/themes/mint-logo.
Then update your initramfs using sudo update-initramfs -u, where the -u tells it that we want to update an existing initramfs.
Software I like
Since I don't yet have a list so big it would fit in its own blog post:

Contact
https://romailler.ch/page/contact/
Wed, 18 Jan 2017 01:13:50 +0000
Contact
You may easily reach me via Twitter @AnomalRoil. If you want to, you can also cold mail me; I'm fine with this. If you wish to communicate with me in a secure way, you may want to use my PGP key, whose fingerprint is: 9B52 42E1 A9D7 1F7C 1D06 E4DD F578 2536 7618 1666.
I'm fine with a few different languages: 🇫🇷 🇺🇸 🇬🇧 🇩🇪
What's more, I'm trying to operate by Crocker's Rules, so you can be informative.

Manger's attack against RSA OAEP
https://romailler.ch/2016/12/17/manger/
Sat, 17 Dec 2016 21:13:50 +0000
Not too long ago I published on Github Go code to perform the famous Manger's attack against RSA OAEP. This code allows us to leverage a padding oracle in order to break RSA OAEP encryption, even though it has been mathematically proven secure… "How come?!" may be your first reaction, but although a scheme is secure, that doesn't mean its implementations aren't leaking knowledge which can be leveraged to break the said scheme!

Yao's Garbled Circuits and TinyGarble
https://romailler.ch/project/yao-garbled/
Thu, 18 Aug 2016 02:13:50 +0000
TinyLib
Since I wanted to learn Go and also to understand Yao's garbled circuits a bit better and try to use them in practice, I ended up creating a wrapper in Golang around the TinyGarble CLI tool, to allow easier usage of it. (Easier for me at least.)
TinyGarble Wrapper
This wrapper consists of a library allowing you to use the basic features of TinyGarble in your program through two methods:

A ladder, a box and a wall
https://romailler.ch/2015/06/30/ladder/
Tue, 30 Jun 2015 19:31:00 +0000
I was recently reading a newspaper in the train and there was a little math riddle. I thought "how funny, that's gonna be easy, let's do it" and yet...
The problem goes as follows: in a barn, there is a 1 meter cubic box against a wall and a 4 meter ladder is leaning against the wall, touching the box at its corner. Here is a picture: [Illustration]

A strange ODBC driver problem
https://romailler.ch/2015/04/14/odbc-cryptic/
Tue, 14 Apr 2015 02:13:50 +0000
ODBC Drivers
I spent at least 6 hours knocking my head out because of some strange error the Qt ODBC driver was giving me when trying to access an Access database file (.accdb): "Could not find installable ISAM."
What a strange problem! After playing a bit more with ODBC I also got a new error: "Data source name not found and no default driver specified." And in the end the problem was coming from the file permissions themselves!

About
https://romailler.ch/page/about/
Fri, 03 Apr 2015 02:13:50 +0000
About me
After doing a bilingual German & French high school degree in Frauenfeld, I got a Bachelor's degree in Mathematics at EPFL. I then decided that I wanted to work in IT security, possibly cryptography, and in order to do so I kept going with a Master's degree in Communication Sciences oriented towards "IT Security and Business Networks".
You can find me online under the "AnomalRoil" nickname.
About romailler.ch
I basically wanted to have an easy to remember, easy to use email address; I was born in Switzerland and romailler.

A strange QSql Driver error
https://romailler.ch/2015/04/02/qt-accdb/
Thu, 02 Apr 2015 02:13:50 +0000
QSql Drivers
I spent at least 3 hours playing with QSql drivers, source code, DLLs and googling around in order to get rid of an annoying error:
After recompiling the qmysql drivers, therefore reinstalling MySQL & going through the pain of installing MS Visual Studio because it looked like Qt needed it to compile its qmysql driver (while it actually doesn't; you can compile it using MinGW), I was finally able to tackle the problem!